From: Peter Maydell
Date: Tue, 31 Mar 2015 19:01:37 +0100
To: "Daniel P. Berrange"
Cc: QEMU Developers, Gerd Hoffmann
Subject: Re: [Qemu-devel] [PATCH 1/2] CVE-2015-1779: incrementally decode websocket frames
In-Reply-To: <1427151502-14386-2-git-send-email-berrange@redhat.com>

On 23 March 2015 at 22:58, Daniel P. Berrange wrote:
> -    if (*payload_size < 126) {
> -        header_size = 6;
> -        mask = header->u.m;
> -    } else if (*payload_size == 126 && input->offset >= 8) {
> -        *payload_size = be16_to_cpu(header->u.s16.l16);
> -        header_size = 8;
> -        mask = header->u.s16.m16;
> -    } else if (*payload_size == 127 && input->offset >= 14) {
> -        *payload_size = be64_to_cpu(header->u.s64.l64);
> -        header_size = 14;
> -        mask = header->u.s64.m64;
> +    if (payload_len < 126) {
> +        *payload_remain = payload_len;
> +        *header_size = 6;
> +        *payload_mask = header->u.m;
> +    } else if (payload_len == 126 && input->offset >= 8) {
> +        *payload_remain = be16_to_cpu(header->u.s16.l16);
> +        *header_size = 8;
> +        *payload_mask = header->u.s16.m16;
> +    } else if (payload_len == 127 && input->offset >= 14) {
> +        *payload_remain = be64_to_cpu(header->u.s64.l64);
> +        *header_size = 14;
> +        *payload_mask = header->u.s64.m64;

We were already doing this before, but if this is a 32-bit machine then the assignment to *payload_remain in this case is going to be assigning a 64-bit value from the datastream to a 32-bit size_t, which doesn't seem like a great idea to just silently do, though I suppose the datastream is in complete control of that value anyway.

--
PMM
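Review bot: in the 127 branch, `*payload_remain = be64_to_cpu(header->u.s64.l64);` stores a peer-controlled 64-bit length into a size_t with no range check, so on a 32-bit host the value is silently truncated and the decoder then tracks a different remaining length than the one the peer declared, which makes the rest of the frame accounting untrustworthy. Suggest validating the decoded length before assigning it (reject the frame if the top bit is set or if it exceeds a fixed maximum frame size the server is prepared to buffer), and apply the same upper bound in the 126 branch so the limit is enforced in one place regardless of which length encoding the peer chose.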